Remote reading depends on delivery, context, and network path quality
Teleradiology is not just “send the images somewhere else.” The orchestrator has to decide which study goes to which reader, ensure the right priors are available, and deliver the data over a secure path that behaves predictably under real network conditions.
Remote delivery path
Loading diagram...
What is AWS Global Accelerator?
AWS documentation describing the global edge and network-acceleration service that can help remote workload paths perform more consistently.
Review Global AcceleratorZero-footprint viewing still needs strong identity and retrieval controls
A web viewer lowers operational overhead, but it does not lower the security bar. The design still needs authenticated access, policy-controlled retrieval, and a clean boundary between static application delivery and sensitive clinical data access.
Current AWS HealthImaging guidance makes that boundary concrete for DICOMweb delivery. The viewer sends a bearer access token with the HTTP request, HealthImaging performs initial checks on standard JWT timing claims, then invokes a customer-managed Lambda authorizer to verify signature, issuer, audience, and any custom claims before the service assumes the returned IAM role for the actual DICOMweb request.
OIDC-authenticated DICOMweb retrieval
Loading diagram...
Remote delivery tradeoffs
| Delivery model | Strength | Main tradeoff |
|---|---|---|
| Browser-native zero-footprint viewer | Lower endpoint-management overhead and standards-aware web delivery | Requires a well-designed identity, retrieval, and client-rendering stack |
| Application streaming or remoted workstation | Preserves heavyweight legacy workstation behavior on thin endpoints | Introduces more centralized session infrastructure and operational overhead |
- Keep viewer identity separate from image-store control-plane access.
- Use OIDC-backed, standards-aware retrieval paths such as DICOMweb rather than ad hoc file download patterns.
- Warm or prefetch the studies and priors that the remote reader is likely to need.
- Treat auditability as part of the delivery path, not as a later add-on.
Authorizer latency becomes part of viewer UX
AWS HealthImaging requires the Lambda authorizer to respond within one second and recommends caching JWKS material and valid tokens. That turns identity-path efficiency into part of the image-delivery performance budget, not just a security afterthought.
OHIF Viewer integrated to AWS HealthImaging via OIDC
Specific AWS sample project for deploying OHIF as a zero-footprint viewer with OIDC and AWS HealthImaging.
Review the OHIF OIDC sampleCustom token verification with Lambda authorizers - AWS HealthImaging
AWS documentation for the DICOMweb OIDC authentication flow, including initial JWT claim checks and role-return behavior.
Review the OIDC workflowSet up an AWS Lambda authorizer for OIDC authentication
AWS setup guide for token verification rules, IAM role return structure, and authorizer performance expectations.
Review authorizer requirementsUsing DICOMweb with AWS HealthImaging
AWS documentation for standards-aware web retrieval of image metadata and frames.
Review DICOMweb retrievalKnowledge Check
Test your understanding with this quiz. You need to answer all questions correctly to mark this section as complete.